CVE-2026-35487 Overview
CVE-2026-35487 is a path traversal vulnerability affecting text-generation-webui, an open-source web interface for running Large Language Models. Prior to version 4.3, an unauthenticated path traversal vulnerability in the load_prompt() function allows attackers to read any .txt file on the server filesystem. The file content is returned verbatim in the API response, potentially exposing sensitive configuration files, credentials, or other text-based data stored on the server.
Critical Impact
Unauthenticated attackers can read arbitrary .txt files from the server filesystem, potentially exposing sensitive configuration data, credentials, API keys, or other confidential information stored in text format.
Affected Products
- oobabooga text-generation-webui versions prior to 4.3
Discovery Timeline
- 2026-04-07 - CVE-2026-35487 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35487
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), allowing attackers to access files outside of intended directories by manipulating file path inputs. The load_prompt() function fails to properly sanitize user-supplied input, enabling directory traversal sequences (such as ../) to escape the intended prompt directory and access arbitrary .txt files anywhere on the server filesystem.
Since text-generation-webui is commonly deployed in AI/ML environments, servers may contain sensitive configuration files, API keys for LLM providers, training data, or internal documentation in text format. The unauthenticated nature of this vulnerability significantly increases the risk, as no credentials are required to exploit it.
Root Cause
The root cause is insufficient input validation in the load_prompt() function. The function accepts user-controlled file paths without properly sanitizing or validating them against directory traversal sequences. This allows attackers to use path manipulation characters like ../ to navigate outside the intended prompt storage directory and access arbitrary text files on the system.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft a malicious API request to the load_prompt() endpoint containing directory traversal sequences in the filename parameter. The vulnerable function processes this input without adequate validation, reads the specified file from the filesystem, and returns its contents directly in the API response.
For example, an attacker targeting a Linux-based deployment could attempt to read system configuration files or application-specific text files by manipulating the path parameter. The vulnerability is limited to files with the .txt extension, but many sensitive files such as notes, configuration backups, and credential exports use this extension.
Detection Methods for CVE-2026-35487
Indicators of Compromise
- Unusual API requests to the prompt loading endpoint containing ../ or encoded path traversal sequences
- Access log entries showing attempts to load prompts with suspicious path patterns
- Unexpected file access events for .txt files outside the designated prompt directories
- API responses containing system file content or error messages indicating path traversal attempts
Detection Strategies
- Monitor web server and application logs for path traversal patterns such as ../, ..%2f, %2e%2e/, or similar encoded sequences
- Implement Web Application Firewall (WAF) rules to detect and block directory traversal attempts
- Review access logs for requests to the load_prompt() endpoint with anomalous path parameters
- Deploy endpoint detection solutions to identify file read operations outside expected application directories
Monitoring Recommendations
- Enable verbose logging for the text-generation-webui application to capture all file access attempts
- Configure alerts for file access events on sensitive text files such as configuration or credential files
- Implement network monitoring to detect unusual API request patterns targeting the vulnerable endpoint
- Establish baseline behavior for legitimate prompt loading operations to identify anomalous activity
How to Mitigate CVE-2026-35487
Immediate Actions Required
- Upgrade text-generation-webui to version 4.3 or later immediately
- If upgrade is not immediately possible, restrict network access to the application using firewall rules
- Implement authentication in front of the web interface to prevent unauthenticated access
- Review server logs for any indication of exploitation attempts
Patch Information
The vulnerability has been fixed in text-generation-webui version 4.3. Users should upgrade to this version or later to remediate the vulnerability. For detailed information about the fix, refer to the GitHub Security Advisory GHSA-mfgg-vvc6-vqq7.
Workarounds
- Deploy a reverse proxy or WAF in front of the application to filter path traversal attempts before they reach the vulnerable endpoint
- Restrict network access to the text-generation-webui instance to trusted IP addresses only
- Implement authentication mechanisms such as HTTP Basic Auth or OAuth at the network layer if the application lacks built-in authentication
- Run the application in a containerized environment with minimal filesystem access to limit the impact of successful exploitation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
